Closed aliciagyt closed 4 months ago
Hi @aliciagyt Here is a new version https://www.npmjs.com/package/@getbrevo/brevo/v/2.1.1 which has many critical and high security vulnerabilities fixed. Kindly check this out. Thanks.
@shubhamUpadhyayInBlue I've just updated to 2.1.1 and it still contains the vulnerable version of the request package.
This package has been deprecated since 2020, so you should be looking to move to something new as a priority.
You can see more information about the deprecation here
You can find information about the vulnerability here
Hi @milo-stadion Yes, I agree with you that the request module should not be used since it's deprecated. But, since these SDKs are generated using the OpenAPI generator, it's not very straightforward to stop the usage of the existing dependency package and keep the SDK backward compatible for all the APIs we support.
It is the same with the remaining Medium level vulnerabilities. However, I have bumped up the versions of other dependencies to fix the Critical and High level vulnerabilities.
However, we will discuss it to come out with a solution to this problem soon.
Thanks.
Thanks @shubhamUpadhyayInBlue
I currently use version `2.0.0-beta.4` and when I run `npm audit fix`, it signals me that I have 2 moderate vulnerabilities, one on `request` and one on `tough-cookie`, and that fixing them will install `brevo@1.0.1` because `brevo >=2.0.0-beta.2` depends on vulnerable versions of `request`. `request` being deprecated anyway (source), do you plan to switch to axios or another library soon? Thanks!
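A way to verify for yourself whether an SDK release still pulls the deprecated package (the check milo-stadion did by hand above), as an added example that is not code from the thread or from the brevo project: it walks an npm lockfile's `packages` map (lockfile v2/v3 layout; the lock below is a constructed, simplified sample, not the real `@getbrevo/brevo` lock) and reports every dependency path that reaches `request` or `tough-cookie`.

```javascript
// Added example: find every dependency path in an npm lockfile that reaches a flagged package.
// `sampleLock` is a constructed stand-in for a real package-lock.json (lockfileVersion 2/3).
const FLAGGED = new Set(["request", "tough-cookie"]);

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@getbrevo/brevo": "2.1.1" } },
    "node_modules/@getbrevo/brevo": { version: "2.1.1", dependencies: { request: "^2.88.2" } },
    "node_modules/request": {
      version: "2.88.2",
      deprecated: "request has been deprecated",
      dependencies: { "tough-cookie": "~2.5.0" },
    },
    "node_modules/tough-cookie": { version: "2.5.0" },
  },
};

// Resolve a dependency name to its lockfile key, walking upward from `fromKey`
// the way npm's hoisted node_modules layout is searched.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns strings such as
// "@getbrevo/brevo@2.1.1 > request@2.88.2" for each flagged package reached.
function findFlaggedPaths(lock, flagged = FLAGGED) {
  const packages = lock.packages;
  const hits = [];
  const walk = (key, chain, seen) => {
    for (const name of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveKey(packages, key, name);
      if (!depKey || seen.has(depKey)) continue; // unresolved or cyclic edge
      const next = [...chain, `${name}@${packages[depKey].version}`];
      if (flagged.has(name)) hits.push(next.join(" > "));
      walk(depKey, next, new Set([...seen, depKey]));
    }
  };
  walk("", [], new Set());
  return hits;
}

console.log(findFlaggedPaths(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means the flagged packages are no longer in the resolved tree.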